Forum Discussion
DarkSideOfTheQ_
Nimbostratus
Sep 16, 2009
Restrict access based off source network
Hello All,
Sanity check...I'm trying to block access to specific pages based off the source network the client is coming from. The rest of the site should remain available to anyone. I *think...
DarkSideOfTheQ_
Nimbostratus
Sep 16, 2009
OK - I'm officially lost here. I put in the iRule I first posted. However, it seemed to discard anything, I couldn't get to the page from a host specified by network or specifically. I added in the log value and saw it in the logs, but the page no workie. I removed the discard piece and could access the pages. Unfortunately, I could access them from hosts not specified in my datagroup. Where is this breaking down???
when HTTP_REQUEST {
    if { ([HTTP::uri] contains "Test.jsp") or ([HTTP::uri] contains "Stats.jsp") and not ([matchclass [IP::client_addr] equals [$::ips_internal]]) } {
        log local0. "test connection from [IP::client_addr] to [HTTP::uri]"
    }
}
From log:
Sep 16 16:46:07 tmm tmm[959]: Rule secure_test : test connection from to /templates/Test.jsp
Sep 16 16:46:31 tmm tmm[959]: Rule secure_test : test connection from to /templates/Test.jsp
Goal: restrict access to the 'test.jsp' and 'stats.jsp' from anyone except specific internal networks, rest of site needs to remain open to anyone.
Edit: Actually, since I removed the 'discard' for testing, I know that's why it's allowing anyone not in my datagroup to access those pages. However, shouldn't I only see in the logs, hosts/networks specified in my datagroup?
-DarkSide
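An added example, not part of the original post and not F5's own code: one way to write the stated goal with the two page checks grouped explicitly, so the source-network test applies to both pages. It assumes `ips_internal` is an address-type datagroup as in the post; the lower-casing of the path, the use of `HTTP::path` instead of `HTTP::uri`, and the 403 response are choices made for this example.

```tcl
when HTTP_REQUEST {
    # Compare against a lower-cased path so Test.jsp and test.jsp both match.
    # HTTP::path excludes the query string, so a parameter value that merely
    # contains "test.jsp" does not trigger the rule (choice made for this example).
    set path [string tolower [HTTP::path]]

    # The inner parentheses group the two page checks. Ungrouped, "and" binds
    # tighter than "or", so the condition reads as
    #   Test.jsp  or  (Stats.jsp and not internal)
    # and the source-address test guards only the second page.
    #
    # The datagroup is passed as $::ips_internal with no extra square brackets;
    # in Tcl, [ ... ] is command substitution, not grouping.
    if { (($path contains "test.jsp") or ($path contains "stats.jsp"))
         and not [matchclass [IP::client_addr] equals $::ips_internal] } {

        # Log only the requests that are being refused, then refuse them.
        log local0. "denied [IP::client_addr] -> [HTTP::uri]"
        HTTP::respond 403 content "Forbidden"
        return
    }
    # Every other request, and internal clients on the two pages, pass through.
}
```

With this grouping, the log line is written only for clients outside the datagroup, which makes it usable as a record of blocked attempts.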